Data Processing Addendum
Last updated: July 16, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Besmi LLC ("Besmi") and the professional or business that uses the Besmi platform ("Customer," "you"). It applies when Besmi processes personal information about your clients on your behalf. If there is a conflict, this DPA controls for such processing.
1. Roles
For personal information you collect about your own clients through the Service (for example contact details, appointments, intake responses, photos, and messages), you are the controller/business and Besmi is your service provider/processor. Besmi processes that information only to provide and support the Service, following your documented instructions (including your configuration of the Service) and this DPA. For your own account and business data, Besmi is the controller as described in the Privacy Policy.
2. Scope of Processing
- Subject matter and duration: processing of client personal information for the term of your account.
- Nature and purpose: booking, client management, intake, messaging, payments, reminders, and related support.
- Categories of data subjects: your clients (and any staff you add).
- Categories of data: identifiers and contact details, appointment and commercial history, communications, and any intake content you choose to collect, which may include sensitive information (such as health details), signatures, and photos.
3. Besmi's Obligations
- Process client personal information only for the purposes above and per your instructions, and not sell it or share it for cross-context behavioral advertising, or use it for our own unrelated purposes.
- Ensure personnel with access are bound by confidentiality.
- Implement and maintain reasonable technical and organizational security measures (Section 5).
- Assist you, taking into account the nature of processing, in responding to client rights requests and in meeting your security, breach-notification, and assessment obligations.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
4. Your Obligations
You are responsible for the lawfulness of the client personal information you collect and how you use it, including providing your clients with a privacy notice and obtaining any consent the law requires (for example for marketing messages or sensitive information), and for honoring your clients' rights and opt-outs. Your instructions to Besmi must comply with applicable law.
5. Security
Besmi maintains safeguards designed to protect client personal information, including encryption in transit, authenticated and access-controlled data changes, tenant isolation, and restricted administrative access. No safeguards are perfect, and security is a shared responsibility that includes your account and credential hygiene.
6. Sub-processors
You authorize Besmi to engage the sub-processors listed in the Privacy Policy (including Google/Firebase, Stripe, Twilio, SendGrid, and Google Gemini) to help provide the Service. Besmi remains responsible for its sub-processors' performance of these obligations and will impose data-protection terms on them. We will provide notice of material changes to our sub-processor list through the Privacy Policy.
7. Data Subject Requests and Breach Notice
If Besmi receives a request from one of your clients to exercise their privacy rights, we will, where permitted, direct it to you or assist you in responding. Besmi will notify you without undue delay after becoming aware of a personal-data breach affecting client personal information it processes for you, and will provide information reasonably available to help you meet your notification obligations.
8. Return and Deletion
On termination of your account, Besmi will delete or de-identify client personal information it processes for you within a reasonable period, except where retention is required by law. You are responsible for exporting any data you wish to keep before deletion.
9. International Transfers
The Service is operated from the United States, and client personal information may be processed in the United States and other countries where our sub-processors operate. You are responsible for ensuring you have a lawful basis to transfer client personal information to Besmi for such processing.
10. Contact
Questions about this DPA: support@besmi.com